On Thu, May 08, 2014 at 05:12:07PM +0200, Dr. Stephen Henson wrote:
> > I don't understand the usefulness of the AKID then. If it's only a
> > hint and can't even be used to exclude certain certificates as
> > issuers, what is it good for?
> >
>
> Disclaimer: I'm just echoing what has been discussed on the PKIX list here,
> not passing an opinion ;-)
>
> That said, the AKID can be used to prefer one certificate issuer over
> another during path discovery. I'd interpret that to mean that (all things
> being equal) if there are two certificates, one of which matches the AKID and the
> other does not, you would use the AKID-matching one. However, by itself an AKID
> mismatch should not exclude a certificate as an issuer.
The Postfix 2.11 DANE code relies on certificates with skid !=
akid->keyid failing X509_check_issued(cert, cert) even though the
subject and issuer DNs may be the same. I really hope that OpenSSL
will not in the future break this assumption.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
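The two readings of the AKID in this exchange, side by side, as an added illustration that is not OpenSSL or Postfix code: a small stand-in for the X.509 fields involved (subject/issuer DN, subjectKeyIdentifier, authorityKeyIdentifier.keyIdentifier), a `check_issued()` that applies the rule Viktor says Postfix 2.11 relies on (matching DNs but SKID != AKID keyid is rejected, so a CA key-rollover "link" certificate with subject == issuer is not treated as self-signed), and a `rank_issuers()` with a strict mode (mismatch excludes) and a PKIX-style mode (mismatch only demotes). The certificate names, key identifiers and the three-candidate chain are constructed for the example; no signatures are checked.

```python
"""AKID/SKID issuer matching: strict (exclude) vs. preference-only (demote).

Constructed illustration; not the OpenSSL X509_check_issued() implementation.
Only the DN and key-identifier fields under discussion are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str                      # label used only by this example
    subject: str                   # subject DN (string stand-in)
    issuer: str                    # issuer DN (string stand-in)
    skid: Optional[bytes]          # subjectKeyIdentifier, None if absent
    akid_keyid: Optional[bytes]    # authorityKeyIdentifier.keyIdentifier, None if absent


def check_issued(subject: Cert, issuer: Cert) -> bool:
    """Return True if `issuer` may have issued `subject` by name/keyid rules.

    Issuer DN must equal the candidate's subject DN.  If both the subject's
    AKID keyid and the candidate's SKID are present, they must be equal: a
    mismatch rejects the candidate even when the DNs match.  When either
    identifier is absent there is nothing to compare, so the DN match stands.
    """
    if subject.issuer != issuer.subject:
        return False
    if subject.akid_keyid is not None and issuer.skid is not None:
        return subject.akid_keyid == issuer.skid
    return True


def is_self_issued(cert: Cert) -> bool:
    """check_issued(cert, cert): only True when the cert's own AKID keyid
    matches its SKID (or one of them is absent), not merely when DNs match."""
    return check_issued(cert, cert)


def rank_issuers(subject: Cert, candidates: List[Cert], strict: bool = True) -> List[Cert]:
    """Order candidate issuers for path discovery.

    strict=True : AKID mismatch excludes the candidate (the assumption the
                  Postfix 2.11 DANE code is said to rely on).
    strict=False: AKID only orders the list; DN-matching candidates whose SKID
                  differs from the AKID keyid stay, after the matching ones
                  (the PKIX reading relayed in the thread).
    """
    by_dn = [c for c in candidates if c.subject == subject.issuer]
    matching = [c for c in by_dn if check_issued(subject, c)]
    if strict:
        return matching
    return matching + [c for c in by_dn if c not in matching]


# Constructed CA key-rollover scenario.  Key ids are shortened to one byte;
# real SKIDs are typically a SHA-1 of the public key.
OLD_ROOT = Cert("old root (self-signed)", "CN=Root CA", "CN=Root CA", b"\x01", b"\x01")
NEW_ROOT = Cert("new root (self-signed)", "CN=Root CA", "CN=Root CA", b"\x03", b"\x03")
# Link certificate: new key, signed by the old key.  Subject == issuer DN, yet
# it is not self-signed, which is exactly what the SKID/AKID comparison shows.
LINK = Cert("new-with-old link", "CN=Root CA", "CN=Root CA", b"\x03", b"\x01")
LEAF = Cert("leaf", "CN=mail.example", "CN=Root CA", b"\x10", b"\x03")
CANDIDATES = [OLD_ROOT, NEW_ROOT, LINK]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:24} self-issued-by-keyid: {is_self_issued(c)}")
    print("strict     :", [c.name for c in rank_issuers(LEAF, CANDIDATES, strict=True)])
    print("preference :", [c.name for c in rank_issuers(LEAF, CANDIDATES, strict=False)])
```

Under the strict rule the link certificate and the old root both have the root's DN, but only the link certificate and the new root carry the SKID the leaf's AKID names, so the old root is dropped; under the preference-only rule it is still offered, last. The `is_self_issued(LINK)` result is the case in Viktor's message: identical subject and issuer DNs, yet `check_issued(cert, cert)` is False because the key identifiers differ.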